Vast majority of malware attacks spawned from legit sites

Drive-by attacks not just from porn and warez sites, new Google data shows.

The vast majority of sites that push malware on their visitors are legitimate online services that have been hacked as opposed to those hosted by attackers for the purposes of distributing malicious software, Google security researchers said Tuesday.

The data, included for the first time as part of the safe browsing section of Google's regular transparency report, further challenges the myth that malware attacks happen only on disreputable sites, such as those that peddle porn, illicit software ("warez"), and similar content. For instance, on June 9 only 3,891 of the sites Google blocked as part of its Safe Browsing program were dedicated malware sites, while the remaining 39,247 sites that were filtered offered legitimate services that had been compromised.

Google blocks about 10,000 sites per day as part of the program, which is designed to help people using Firefox, Chrome, and other participating browsers steer clear of phishing scams and drive-by malware attacks. The program also notifies webmasters when their sites are found to be infected so they can take steps to fix the problems. In all, the Safe Browsing program helps protect about 1 billion people per day.

The new data helps flesh out anecdotal evidence that for years has suggested that many of the sites used to infect end-user computers are run by mom-and-pop webmasters, and in some cases large companies. The operator of a software developer website that compromised computers belonging to Apple, Facebook, and other companies, for instance, had no idea it had been booby-trapped by attackers. In the past few months, tens of thousands of sites—including those operated by The Los Angeles Times, Seagate, and other reputable companies—have come under the spell of an exploitation toolkit known as Darkleech.

Promoted Comments

This has been the reality for years now. I have to tell clients regularly that it's no longer just the "Dark Side" of the Net that will infect them. The Wild West reality of the Net would curl most folks' hair if they really understood how dangerous it can be to surf even otherwise reputable sites.

This.

DO NOT browse the web (or receive e-mail for that matter) while logged in as local admin. Do not as much as touch a web browser if your account is local admin.

Get rid of Java and Flash browser plugins. Or just get rid of all browser plugins.

Run the latest browser. Doesn't matter which one as long as it's latest build.

Keep the OS up to date with autoupdates.

Leave the OS firewall running, and have a hardware firewall/router in front of the computer too.

Run a good real-time AV scanner. Do not assume it will pick up everything. On the contrary. Be aware of all processes typically running on your machine and scrutinize anything you don't recognize. Especially if it's a module injected into an OS process, or is a separate process running from a location inside your user profile.

Business users: strongly recommend deploying an HTTP proxy and stripping all the potentially dangerous MIME types and file extensions.
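
The proxy advice in the list above, turned into a concrete policy as an added example (this is not the commenter's code and not anything from the Ars article). It decides, per response, whether to block based on the declared Content-Type, the URL's extension and the first bytes of the body, and it blocks when the body's magic bytes contradict the declared type, which is how a kit serves an executable as image/jpeg. The block lists are illustrative rather than complete, the sample responses are constructed, and hooking decide() into an actual proxy (for example through Squid's ICAP/eCAP adaptation interface) is assumed and not shown:

```python
"""Proxy response policy: block dangerous content even when the declared type lies.

Added example for the "HTTP proxy that strips dangerous MIME types and
extensions" advice.  Not the commenter's code and not from the Ars article.
It models one proxy decision per response; integration with a real proxy
is assumed and not shown.  Lists are illustrative, not exhaustive.
"""
from urllib.parse import urlparse
import posixpath

# Declared types that are never useful to a browsing user on a locked-down
# desktop.  application/octet-stream is deliberately absent: it is too
# common for legitimate downloads, so it is judged by magic bytes below.
BLOCKED_TYPES = {
    "application/x-msdownload", "application/x-msdos-program",
    "application/x-dosexec", "application/vnd.microsoft.portable-executable",
    "application/java-archive", "application/x-java-applet",
    "application/x-java-vm", "application/x-shockwave-flash",
    "application/hta", "image/wmf", "image/x-wmf",
}

BLOCKED_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".pif", ".com", ".cpl", ".msi", ".hta",
    ".jar", ".class", ".jnlp", ".swf", ".wmf", ".emf",
}

# Magic bytes of content that must not reach the client regardless of what
# the server says it is.  Drive-by kits routinely serve a PE as image/jpeg
# or text/html; an extension-only filter passes that straight through.
DANGEROUS_MAGIC = [
    (b"MZ", "DOS/PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"\xca\xfe\xba\xbe", "Java class file"),
    (b"FWS", "Flash (uncompressed)"),
    (b"CWS", "Flash (zlib)"),
    (b"ZWS", "Flash (LZMA)"),
    (b"\xd7\xcd\xc6\x9a", "WMF (placeable)"),
    (b"\x01\x00\x09\x00", "WMF (standard)"),
]

# Declared types whose genuine bodies always start with a known signature;
# a mismatch means the server is lying about the content.
EXPECTED_MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "application/pdf": (b"%PDF-",),
}


def decide(url, content_type, body_head):
    """Return ("block", reason) or ("allow", reason) for one HTTP response.

    body_head is the first few bytes of the response body; a proxy can
    buffer that much before deciding whether to stream the rest.
    """
    ctype = content_type.split(";", 1)[0].strip().lower()
    ext = posixpath.splitext(urlparse(url).path)[1].lower()

    for magic, name in DANGEROUS_MAGIC:
        if body_head.startswith(magic):
            return "block", f"body is {name} (declared {ctype or 'nothing'})"
    if ctype in BLOCKED_TYPES:
        return "block", f"blocked Content-Type {ctype}"
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"blocked extension {ext}"
    expected = EXPECTED_MAGIC.get(ctype)
    if expected and not body_head.startswith(expected):
        return "block", f"body does not match declared {ctype}"
    return "allow", "no policy match"


if __name__ == "__main__":
    # Constructed responses: (url, Content-Type header, first body bytes).
    samples = [
        ("http://cdn.example/ads/creative.jpg", "image/jpeg", b"MZ\x90\x00\x03"),
        ("http://cdn.example/ads/photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00"),
        ("http://cdn.example/ads/banner.gif", "image/gif", b"<html><s"),
        ("http://cdn.example/dl/setup.exe", "application/octet-stream", b"MZ"),
        ("http://cdn.example/dl/notes.txt", "application/octet-stream", b"hello"),
        ("http://cdn.example/a/applet.jar", "application/java-archive", b"PK\x03\x04"),
        ("http://cdn.example/a/x.swf", "text/plain", b"CWS\x0a\x00"),
        ("http://cdn.example/files/report.pdf", "application/pdf", b"%PDF-1.4"),
    ]
    for url, ctype, head in samples:
        verdict, why = decide(url, ctype, head)
        print(f"{verdict:5}  {url:45}  {why}")
```

application/octet-stream is not blocked outright because legitimate downloads use it constantly; those bodies are judged by their magic bytes only. The commenter's own caveat applies: block what nobody needs in a browser (WMF, Java, Flash) unconditionally, and make the EXE decision per business need rather than by the declared type alone.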

Run a good real-time AV scanner. Do not assume it will pick up everything. On the contrary. Be aware of all processes typically running on your machine and scrutinize anything you don't recognize. Especially if it's a module injected into an OS process, or is a separate process running from a location inside your user profile.

As a fairly savvy but not super-guru-level user, I find this particular recommendation pretty daunting. Even with the ability to display the path for most processes (some don't show it), it's pretty hard to know what some of those things are, which duplicates are legitimate duplicates and which could be problematic, etc.

While I am sure that some of the legit sites actually do get exploited via SQL injection, zero-day IIS/Apache holes, etc... I also think a very large percentage of legit site malware infections comes from the 3rd-party ads that virtually every website serves up these days. These websites just have one or two (or a dozen) ad placeholders and just hope for the best when they let whatever ad companies they use serve ads to their customers. I have been on legit tech news sites (not this one yet) and in comes an attempted malware attack via a Flash ad, or on a site that has no business with Java, I will get the "this site requires Java" (since I don't have it installed on my machine) message, which I know is malware trying to wiggle its way in.

Site owners need to be more careful about what ad companies they use and what content will get served to your site from 3rd parties.

It's pretty sad that the old advice "don't go to porn sites if you don't want to get hacked" seems to be less and less useful since legitimate sites can deliver the malware right to your electronic doorstep now.
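
As an added example for the two things this comment describes meeting on legitimate pages, a Flash ad creative and a fake "this site requires Java" prompt, plus the hidden injected iframes the article attributes to Darkleech: a scanner over served HTML. This is not the commenter's code or anything from Ars; the page HTML and the host names in it are constructed for the example. It reports plugin-invoking markup, any iframe that is both hidden (1x1, display:none, off-screen) and points at another host, and plugin-install lure text:

```python
"""Scan served HTML for plugin-invoking ad content and hidden injected iframes.

Added example; not the commenter's code and not from the Ars article.
SAMPLE below is constructed.  In practice feed scan() the HTML exactly as
served to a visitor, since injected content is often shown only to certain
User-Agents or referrers.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

PLUGIN_TYPE_PREFIXES = ("application/x-shockwave-flash", "application/x-java")
PLUGIN_EXTENSIONS = (".swf", ".jar", ".class")
# Social-engineering text that drive-by pages use to get a plugin installed.
LURE = re.compile(r"\b(requires|install|update)\s+(java|flash)\b"
                  r"|flash player is (required|out of date)", re.I)


def _dim(value):
    """Parse a width/height attribute like "1" or "1px"; None if not a plain size."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value)
    return int(m.group(1)) if m else None


def _is_hidden(attrs):
    w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = w is not None and h is not None and w <= 1 and h <= 1
    offscreen = ("display:none" in style or "visibility:hidden" in style
                 or re.search(r"(left|top):-\d", style) is not None)
    return tiny or offscreen


def _is_external(src, site_host):
    host = urlparse(src or "").netloc.lower()  # empty for relative URLs
    return bool(host) and host != site_host


class _Scanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (kind, detail)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            # Visible or same-origin frames (maps, videos) are not reported.
            if _is_hidden(a) and _is_external(src, self.site_host):
                self.findings.append(("hidden-external-iframe", src))
        elif tag == "applet":
            self.findings.append(("plugin-content", "applet " + (a.get("code") or "")))
        elif tag in ("object", "embed"):
            t = (a.get("type") or "").lower()
            src = (a.get("src") or a.get("data") or "").lower()
            if (t.startswith(PLUGIN_TYPE_PREFIXES) or a.get("classid")
                    or urlparse(src).path.endswith(PLUGIN_EXTENSIONS)):
                self.findings.append(("plugin-content", f"{tag} {t or src}"))

    def handle_data(self, data):
        m = LURE.search(data)
        if m:
            self.findings.append(("plugin-lure", m.group(0)))


def scan(html, site_host):
    """Return a list of (kind, detail) findings for one served page."""
    s = _Scanner(site_host)
    s.feed(html)
    s.close()
    return s.findings


# Constructed page: a small-business site with one rented ad slot, one
# legitimate same-origin map frame, and two injected elements.
SAMPLE = """<html><head><title>Main Street Bakery</title></head><body>
<h1>Welcome</h1>
<div id="ad-slot-1"><embed src="http://ads.example.net/creative.swf"
  type="application/x-shockwave-flash" width="300" height="250"></div>
<p>Opening hours: 7am to 6pm.</p>
<iframe src="/embed/map" width="400" height="300"></iframe>
<iframe src="http://stats.example.org/t.php" width="1" height="1"
  style="visibility:hidden; position:absolute; left:-999px"></iframe>
<div class="notice">This site requires Java. Click here to install the latest version.</div>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE, "mainstreetbakery.example"):
        print(f"{kind:24} {detail}")
```

Run it against the HTML as actually served to a visitor, not the files on disk: server-side injections of this kind are frequently shown only once per IP or only to certain User-Agents and referrers, so a fetch from the site owner's own workstation may come back clean. A visible or same-origin iframe is deliberately not reported, to keep the output short enough to act on.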

What were these sites doing? Are they informational sites with minimal scripting? Are they ecommerce sites for small shops? What is the nature of the attacks? These questions and others would help one fix problems.

I know there are bugs in various web tools, frameworks, etc. that could result in vulnerabilities which are compounded by coding errors. Java applets have had numerous reports to the point where it is recommended to avoid using Java applets.

I thought this was already common knowledge. Particularly with less than scrupulous ad networks basically selling whatever someone pays them to. The Ars article on "free" downloads is a good example of never trusting what someone else is selling (or "freely" giving away as the case may be). Legitimate sites often host ads to bring in revenue and those ads are often the vector for all kinds of malware. I'd rather trust a reputable porn site than some of the advertisers I've seen.

Yes, there has been anecdotal evidence for years supporting the theory that it's not just "dodgy" websites that do drive-by attacks. As the article states, this anecdotal evidence is backed up by a significant amount of data from Google.

Everything you say here is either obvious or gibberish, depending on the reader.

These are all nice to say, but in a surprisingly large number of corporate environments doing things like not running Java, leaving the OS firewall running, or "stripping all potentially dangerous MIME types" is impractical, at best. Not to mention the amount of support traffic you would generate by having any business with users that need more than a dumb terminal not being local admins, without serious corporate resources devoted full time to GPO care and grooming.

I think advertising-spread malware is the elephant in the room, here. How many of these "legitimate" sites spreading malware have been hacked, and how many are serving malware through the holes in their pages that they rent out to ad networks to fill with whatever they like?

There's only so much we can do on the client side. Uninstall Java and Flash, but what about Javascript? I've tried running NoScript, and it just breaks too much of the web.

Maybe it's time for responsible web sites to host their own advertising. It would be a huge disruptive change to the way they do business, I know. Maybe once a critical mass of their users are running ad-blocking software in self-defense it'll be cost effective. I don't know.

I think I'll call BS on "helps protect about 1 billion people per day." That just doesn't sound plausible to me. About 1/7 of the world's entire population? Every day? I know that internet usage statistics are now well past a billion users... the first hit from a quick google search shows about 2.4 billion as of about a year ago, so over 3 billion seems plausible. But every day? I'm betting someone just threw in that "every day" because it sounded impressive rather than because they actually meant anything like that. Perhaps a combination of "protects about a billion people" and "protects people every day". Hmm.

Yep, checking the cited page about the Google safe browsing program, it claims "We protect 600 million users". Not quite a billion, but I'll buy it as "about a billion" with liberal rounding up and perhaps the site's figures being a little old. But that doesn't say that many users every day. To the contrary, the site claims "Approximately 12-14 million Google Search queries per day show our warning". Now that's much more believable, relatively modest even. Two orders of magnitude less than "1 billion people per day"; and that's without accounting for people who get multiple warnings in a day.

Or is this claim based on some notion that it is protecting users even when it does nothing or when the user didn't even get on the net that day? If so, might as well go whole hog and say it protects 7 billion people every day because even all those who have no internet connections are protected against the indirect fallout... or something.

Maybe it's just that I have drab browsing habits, but I'm unprotected by AV or firewall and really haven't had much trouble over the past 15 years of surfing. I scan my computer with Windows Defender and Avira every once in a while to see what I've picked up and to make sure I'm not part of a botnet. And I have a clean disk image standing ready in case I really get messed up -- only takes a few minutes to restore.

Another awesome and often overlooked tool for this is the built-in System Information (msinfo32.exe). Look in running tasks for EXEs and look in loaded modules for DLLs. Sort by folder. Sort by manufacturer. Bogies quickly stand out.

Actually, run that first to make sure you can trust subsequent investigation. If the machine has got a rootkit, the various tools mentioned could be lying to you because the malicious processes and files could be hidden.
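
The "scrutinize anything you don't recognize" advice and the msinfo32 tip above, written down as rules so the shortlist comes out of a script rather than out of someone's memory. This is an added example, not the commenter's tool or anything from Ars. The listing is constructed; real input is the Running Tasks and Loaded Modules views from msinfo32, or a tasklist /m export with signature checks added, and an empty publisher is taken here to mean the file has no valid Authenticode signature:

```python
"""Flag the process/module patterns the thread tells you to look for.

Added example, not the commenter's tool.  SAMPLE_LISTING is constructed;
real input would come from msinfo32's Running Tasks / Loaded Modules views
or a `tasklist /m` export plus signature checks.  Paths are Windows-style
but the logic is plain string matching, so it runs anywhere.
"""
WINDOWS = "c:\\windows\\"
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Locations any user can write to; nothing that belongs to the OS runs from here.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Well-known OS process names and the only directories each may run from.
OS_PROCESS_HOME = {
    "svchost.exe": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
    "lsass.exe": ("c:\\windows\\system32\\",),
    "csrss.exe": ("c:\\windows\\system32\\",),
    "winlogon.exe": ("c:\\windows\\system32\\",),
    "explorer.exe": ("c:\\windows\\",),
}


def _norm(path):
    return path.replace("/", "\\").lower()


def triage(processes):
    """Return (pid, rule, detail) tuples for anything worth a second look.

    processes: iterable of dicts with keys pid, name, path, publisher and
    modules (a list of dicts with name, path, publisher).  An empty
    publisher means the file carries no valid Authenticode signature.
    """
    findings = []
    for p in processes:
        path, name = _norm(p["path"]), p["name"].lower()
        if path.startswith(USER_WRITABLE):
            findings.append((p["pid"], "image-in-user-writable-path", path))
        home = OS_PROCESS_HOME.get(name)
        if home and not path.startswith(home):
            findings.append((p["pid"], "os-process-name-wrong-path", path))
        if not p["publisher"] and not path.startswith(WINDOWS):
            findings.append((p["pid"], "unsigned-image", path))
        if path.startswith(WINDOWS):
            # Modules inside an OS process should come from the OS or a vendor
            # directory; anything else is the "injected module" case.
            for m in p["modules"]:
                mpath = _norm(m["path"])
                if not mpath.startswith(TRUSTED_DIRS):
                    findings.append((p["pid"], "foreign-module-in-os-process", mpath))
    return findings


# Constructed listing: two clean processes, one svchost with an injected DLL,
# one svchost impostor in Temp, and an unsigned downloader in Downloads.
SAMPLE_LISTING = [
    {"pid": 612, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe",
     "publisher": "Microsoft Windows", "modules": [
         {"name": "ntdll.dll", "path": r"C:\Windows\System32\ntdll.dll",
          "publisher": "Microsoft Windows"},
         {"name": "wh.dll", "path": r"C:\Users\alice\AppData\Roaming\sysupd\wh.dll",
          "publisher": ""},
     ]},
    {"pid": 1180, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe",
     "publisher": "Microsoft Windows", "modules": [
         {"name": "shell32.dll", "path": r"C:\Windows\System32\shell32.dll",
          "publisher": "Microsoft Windows"},
     ]},
    {"pid": 2204, "name": "chrome.exe",
     "path": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "publisher": "Google LLC", "modules": [
         {"name": "chrome.dll",
          "path": r"C:\Program Files\Google\Chrome\Application\chrome.dll",
          "publisher": "Google LLC"},
     ]},
    {"pid": 3320, "name": "svchost.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "publisher": "", "modules": []},
    {"pid": 3508, "name": "updater.exe", "path": r"C:\Users\alice\Downloads\updater.exe",
     "publisher": "", "modules": []},
]

if __name__ == "__main__":
    for pid, rule, detail in triage(SAMPLE_LISTING):
        print(f"pid {pid:5}  {rule:30}  {detail}")
```

This is one answer to the objection above that the task is daunting: the rules produce a short list to look at, not a verdict. Expect benign hits from per-user installs that live under AppData (some browsers install that way), which is exactly the case where checking the publisher of the shortlisted file settles it. And, as the reply above says, only trust the listing once you have reason to believe the machine is not already hiding things from the tools that produced it.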

It's the web sites for your local businesses and organizations that make up the bulk of these numbers. They run old versions of Joomla or Wordpress. They were set up by volunteers or the lowest bidder years ago, and they aren't maintained by any one person for more than a few months at a time. They're loaded with abandoned plugins and modifications made directly to the core code, making updates difficult. Nobody wants to pay to do the overhaul required to get them running on more modern systems, and make no mistake, an overhaul will be required.

The host is running some Hsphere or Cpanel shared-hosting automation system with at least hundreds but probably not thousands of customers all on one shared server. Injections from one site percolate throughout the whole server. The web-based tools don't provide enough access to fully remove infections even if the customer is aware of them, and the hosting provider is unable or uninterested in doing it themselves.

Convenient tools for throwing together web sites and hosting at low cost have fueled the proliferation of web site malware. It's a fire at a flea market.

Increasingly, web site operators need to be turning to hosts who specialize in the application and provide things like automatic updates, (the way someone like Wordpress.com does for Wordpress installations), and who can provide inexpensive VPSes to limit cross-contamination between customer sites.

An expert can no longer insist that keeping sites up-to-date and free of malware is anything but an ongoing process requiring good-faith collaboration between developers, administrators, and hosting providers. It's going to take time and cost money, and you can't just pay for it once. Unfortunately, it's a sprawling industry flooded with people doing it wrong, who self-identify adamantly as experts, who pump out brochure sites and then disappear, leaving the world to deal with the mess.

Adblock and browser extensions and careful, watchful browsing won't help you. Using something other than Windows might, but not for long, and you'll still be firing the base64-encoded exploit code every time you load a compromised PHP page, triggering another batch of spam or another attack on another site.

The web is in its Windows 95 era. If and when hosting can get out of the $5-a-month ghetto, and if and when the broken, vulnerability-riddled platforms finally get replaced with something newer and more secure, then maybe we'll start making progress. But something tells me we'll be stuck with this crap for decades, until something finally compels hosting companies to rid their systems of ten-year-old garbage software.

One thing and one thing only affects users with no local admin rights: they can't install software. Sure they can't make machine-wide OS changes either, but they a) don't care and b) 90% of users should not be doing it anyway because they should be running a standardized tested and approved OS image. Their gripe is always: can't install software.

So deploy managed applications. Deploy something like MS SCCM and let users install applications and packages from the application center. Every single app supported by the org can be published there, and users can install them on demand. No local admin rights needed. Another bonus: every app will be installed exactly the same way and will always work. No weird issues to work through due to user botched install.

GPOs have nothing to do with it. That's just centralized control over machine and user settings.

OS firewall running is the easiest thing, with exceptions created for whatever you need listening for inbound connections. The HTTP proxy... same thing. Balance can be struck between business needs and security. Just because it's hard it doesn't mean we should give up. Besides, blocking WMF because there's a damn exploit against it every few months will really not affect anyone. I was not necessarily talking about blocking useful dangerous content such as EXE.

AdBlock Plus is most definitely NOT built into IE. I tell all of my customers to AVOID IE like the plague. Simply using Chrome or Firefox works wonders in terms of keeping the malware out. Add-ons like AdBlock, NoScript, WebOfTrust, and Ghostery also help, along with switching to OpenDNS, AND keeping your firewall ON on your desktop/notebook/tablet as well as on the router. There is no one thing that will keep your machine safe; you need layers of protection.

Not using Windows also makes a huge difference. Statistically speaking, Mac OS and Linux are much safer alternatives, despite what all of the security experts say. I fix computers for a living, have been doing it for 25 years, and the ONLY OS that I EVER have to remove viruses/malware/ransomware/rootkits from is Windows. Period.

" Up to 85 % of all virus infections occur as a result of drive-by attacks automated via commercial exploit kits.........On the basis of the total statistical data of this study it is documented that following products frequently are abused by malware in order to infect Windows machines: Java JRE, Adobe Reader / Acrobat, Adobe Flash and Microsoft Internet Explorer........The conclusion of this study is that as much as 99.8 % of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages."

There is an ad blocker for IE, Simple Adblock. I can't say if it's as good as Adblock Plus or as current since I rarely use IE (and am on a Mac now).

Another thing to watch out for is shortened links. I know, obvious, but it wasn't mentioned. Seeing "bit.ly/YTE653HG85Gj" tells you nothing, so don't click unless you know it's from a safe source (whose email/FB/whatever has not been hijacked!).

So what you're saying, in essence, is don't use your browser to do any of the things that 99% of the world uses their browser for anymore. Either that, or perhaps you are advertising for your consulting services in a roundabout way. You'd think after decades of this being completely alien to the thought processes of normal computer users, this sort of "advice" would change.

One of the words of wisdom that I abide by with technology is this: Security is simplicity. How do you refine the exact needs of your computing experience to the point where only the software you use and rely upon is on your device? Macs tend to use this practice out of the box, and Linux distros like Ubuntu as well. Windows 8 exercises this on a clean machine, but sadly when most people buy a new Windows machine, it's usually not clean.

An example of insecure computing is PCs that are bought from Walmart that are preloaded with trialware that convolutes the system and slows things down. Often services like Java and Flash are preinstalled and already out of date, and Norton/McAfee are installed with 30-day trials while, conveniently, Microsoft Security Essentials is disabled. There's so much room for vulnerabilities, and misunderstanding of your computing device.

--

Now there are exceptions to this, and tech whizzes can certainly manage an unwieldy machine. But most of us who have installed machines for mothers, fathers, grandmothers, grandfathers know perfectly well that how we set up their software determines whether they are calling us back any time soon. We know to set a safe browser that auto-updates, a free, unintrusive antimalware that updates itself. Basically we Mac-ify the PC for them. We eliminate popups and unneeded dialogue boxes, and we narrow it down to the basics. That in a nutshell is good PC security practice.

Here's the dilemma: How do you support your favorite site by not using ad-blocking software such as ABP and NoScript, yet still do everything in your power to keep yourself safe from all forms of browser hijacking?

With articles like this, I'm a little surprised Ars hasn't done a guide on how to properly "lock-down" your machine from drive-by and zero-day threats.

You guys just did an excellent article on using password managers, so how about this? I already use proactive security measures like EMET to mitigate the capabilities of drive-by and zero-day exploits, but it's hard to really convince others to use it.

I'd love if you guys could make a nice easy to follow article explaining the ways one can best secure their operating systems; Windows, OS X and the most consumer popular Linux Distros. I know all the nitty gritty for Windows like EMET, creating an SRP, running as standard user and having UAC set to maximum, but it's easier to get your friends and family to follow your advice when it comes from an "official" source.